#FightThePhish: Deconstructing the tsunami of cyber risks – a practical quantitative approach

In last week’s blog we discussed ransomware, a type of malicious cyberattack that has been hitting US organizations at an alarming rate, demanding payment from victims to restore access to their own crucial data and disrupting or even completely halting business activity. It is important to note, however, that ransomware can enter an organization in several ways, the most common being a social engineering tactic called ‘phishing’.

Image illustrating phishing. It showcases an attacker coming out of a laptop holding a fishing pole to another laptop with an email envelope on it.

Phishing – an ‘American’ problem?

Phishing involves fraudulent messages sent by an attacker to obtain sensitive information or to install malicious software, such as ransomware, on the victim’s systems. Global consultancy Deloitte stated in a recent article that “phishing is the number one delivery vehicle for ransomware”, and the Federal Bureau of Investigation (FBI) noted that in 2020 phishing was the most frequently reported form of cybercrime, with 241,342 victims compared to 114,702 in 2019. Furthermore, the United States appears to be disproportionately affected: 74% of US organizations experienced a successful phishing attack in 2020, 30% more than the global average and a 14% increase on 2019.

It therefore comes as no surprise that, for this year’s US Cybersecurity Awareness Month, the Cybersecurity and Infrastructure Security Agency (CISA) has dedicated the second week of October to raising awareness of phishing and equipping organizations with the skills to protect themselves against it.

With the theme for this week and all of the worrying statistics above taken into consideration, it’s clear that we need to…

#FightThePhish

In Acuity’s experience of helping businesses better manage their cyber risks, the industry gold standard of adopting a risk-based approach first and foremost demands getting both leadership and the wider organization to embed cybersecurity in its culture and in employees’ everyday practices. After all, you cannot manage a risk you do not know about.

How, though, can you ensure that the human element of cybersecurity, the weakness that phishing attacks exploit, is managed appropriately, so that your business can withstand its inevitable exposure to risk?

This is a particular challenge, especially as information security and IT teams are expected to ‘do more with less’. The cybersecurity skills gap persists, meaning that many organizations have no specialist knowledge to rely on, and statistics show that company-wide cybersecurity training is most often a tick-box exercise rather than the continual learning practice it should be. You therefore need to be able to decide where to allocate your limited cybersecurity budget, to ensure you are protected where and when it matters most.

Quantifying risk to prioritize scarce resources

In our experience helping organizations of all sizes make better decisions so that they can manage their cyber risks more effectively and efficiently, we have found that qualitative approaches to risk assessment, such as risk heat maps, often fall short. They typically cannot capture the uncertainty in the severity or frequency of cyber loss events and are consequently unable to model potential financial loss, which means that organizations lack a clear or accurate view of their exposure when they set their cybersecurity priorities.

The CISOs and security teams we work with have, however, started seeing the many benefits of using a practical quantitative approach to risk assessments, such as Monte Carlo analysis. This approach allows them to perform risk-based prioritization of security improvements and model return on investment (ROI) from potential security investments, meaning that they can report and financially justify to the Board where and how their security posture can be improved.
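As an added example (not Acuity’s own tooling or method), here is a minimal Monte Carlo model of the kind described above, written in Python using only the standard library. It treats the number of successful phishing-led ransomware events per year as Poisson and the loss per event as lognormal, calibrated from a median and a 90th-percentile estimate, then compares the loss distribution with and without a control and computes the control’s ROI. All scenario inputs (0.5 events per year, a USD 200,000 median and USD 1,000,000 90th-percentile loss per event, a phishing-training control assumed to cut the rate to 0.3 per year at USD 40,000 a year) are constructed for illustration and are not figures from this page.

```python
"""Monte Carlo estimate of annual loss from phishing-delivered ransomware.

Event frequency per year is Poisson; loss per event is lognormal, calibrated
from a median and a 90th-percentile estimate (the two numbers a risk
workshop can usually agree on). Every parameter value in this file is a
constructed illustration, not data from any real organization.
"""
import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.2816  # standard-normal z-score of the 90th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected successful events per year (Poisson mean)
    loss_median: float      # median loss per event, USD
    loss_p90: float         # 90th-percentile loss per event, USD


def lognormal_params(median, p90):
    """Convert a (median, p90) pair into lognormal (mu, sigma)."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, trials=20_000, seed=1):
    """Return one total-loss figure (USD) per simulated year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_median, scenario.loss_p90)
    losses = []
    for _ in range(trials):
        events = poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def summarise(losses):
    """Annualised loss expectancy plus the tail figures a Board asks about."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(p):
        return ordered[min(n - 1, int(p * n))]

    return {
        "expected": statistics.fmean(ordered),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "p_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


def control_roi(baseline_losses, controlled_losses, control_cost):
    """ROI of a control = (reduction in expected annual loss - cost) / cost."""
    before = statistics.fmean(baseline_losses)
    after = statistics.fmean(controlled_losses)
    benefit = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "annual_benefit": benefit,
        "roi": (benefit - control_cost) / control_cost,
    }


if __name__ == "__main__":
    # Constructed inputs: a firm seeing one successful phishing-led ransomware
    # incident every two years, and a simulated-phishing training programme
    # assumed to cut that rate to 0.3 per year for USD 40,000 a year.
    baseline = Scenario("no additional control", 0.5, 200_000, 1_000_000)
    trained = Scenario("phishing training", 0.3, 200_000, 1_000_000)
    base_losses = simulate_annual_loss(baseline)
    trained_losses = simulate_annual_loss(trained)
    for name, losses in ((baseline.name, base_losses), (trained.name, trained_losses)):
        s = summarise(losses)
        print(f"{name:>22}: ALE {s['expected']:>10,.0f}  p90 {s['p90']:>10,.0f}  "
              f"p99 {s['p99']:>12,.0f}  P(loss>0) {s['p_any_loss']:.2f}")
    r = control_roi(base_losses, trained_losses, 40_000)
    print(f"annual benefit {r['annual_benefit']:,.0f}  ROI {r['roi']:.2f}")
```

The output is what a heat map cannot give you: a median annual loss of zero (most years have no incident) sitting next to a p99 in the millions, which is exactly the gap between “medium likelihood, high impact” and a number the Board can set a budget against. In a real model the control’s effect (here a fixed drop from 0.5 to 0.3 events per year) should itself be a distribution, since how well training works is as uncertain as the losses it prevents.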

Acuity’s Founder and CEO Simon Marvell detailed the benefits of practical quantitative risk assessment methods in a recent webinar, which is now available to watch on-demand. However, if you’d like to discuss how you can ‘do more with less’ and make better risk-based decisions, contact us now to speak to one of our experts.